389-ds-base-1.3.6.1-19.el7
Errata ID: AXSA:2017-2225:06
389 Directory Server is an LDAP version 3 (LDAPv3) compliant server. The base
packages include the Lightweight Directory Access Protocol (LDAP) server and
command-line utilities for server administration.
Security Fix(es):
* A flaw was found in the way 389-ds-base handled authentication attempts
against locked accounts. A remote attacker could potentially use this flaw to
continue password brute-forcing attacks against LDAP accounts, thereby bypassing
the protection offered by the directory server's password lockout policy.
(CVE-2017-7551)
Bug Fix(es):
* In multi-replication environments, if operations in one back end triggered
updates in another back end, the Replica Update Vector (RUV) of the back end was
incorrect and replication failed. This fix enables Directory Server to handle
Change Sequence Number (CSN) pending lists across multiple back ends. As a
result, replication works correctly. (BZ#1476161)
* Due to a low default entry cache size value, the Directory Server database
had to resolve many deadlocks during resource-intensive tasks. In certain
situations, this could result in a "DB PANIC" error and the server no longer
responded to requests. After the server was restarted, Directory Server started
with a delay to recover the database. However, this recovery could fail, and the
database could corrupt. This patch increases the default entry cache size in the
nsslapd-cachememsize parameter to 200 MB. As a result, out-of-lock situations or
"DB PANIC" errors no longer occur in the mentioned scenario. (BZ#1476162)
* Previously, if replication was enabled and a changelog file existed,
performing a backup on this master server failed. This update sets the internal
options for correctly copying a file. As a result, creating a backup now
succeeds in the mentioned scenario. (BZ#1479755)
* In certain situations, if the server was previously abruptly shut down, the
/etc/dirsrv//dse.ldif configuration file became corrupted. As a consequence,
Directory Server failed to start. With this patch, the server now calls the
fsync() function before shutting down to force the file system to write any
changes to the disk. As a result, the configuration no longer becomes corrupted,
regardless of how the server gets stopped. (BZ#1479757)
CVE-2017-7551
389-ds-base versions before 1.3.5.19 and 1.3.6.7 are vulnerable to
password brute-force attacks during account lockout due to different
return codes returned on password attempts.
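The lockout bypass described for CVE-2017-7551, as an added example that is not 389-ds-base code and not part of the original advisory: a simplified Python model in which a bind handler's result code on a locked account still depends on the password, next to a handler that checks lockout first, with a regression check over both. The `Account` class, the function names, `MAX_FAILURES` and the order of checks in `bind_leaky` are assumptions made for illustration; the result codes are the RFC 4511 values.

```python
import hmac
from dataclasses import dataclass

# LDAP result codes as defined in RFC 4511.
SUCCESS = 0
CONSTRAINT_VIOLATION = 19   # used here as the "account locked" answer
INVALID_CREDENTIALS = 49

MAX_FAILURES = 3            # constructed lockout threshold


@dataclass
class Account:              # hypothetical stand-in for a directory entry
    password: str
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES


def _matches(acct: Account, attempt: str) -> bool:
    return hmac.compare_digest(acct.password.encode(), attempt.encode())


def bind_leaky(acct: Account, attempt: str) -> int:
    """Assumed flawed order: password first, lockout second."""
    if not _matches(acct, attempt):
        acct.failures += 1
        return INVALID_CREDENTIALS      # wrong guess on a locked account
    if acct.locked:
        return CONSTRAINT_VIOLATION     # right guess on a locked account
    acct.failures = 0
    return SUCCESS


def bind_fixed(acct: Account, attempt: str) -> int:
    """Lockout first: a locked account gives one answer for any password."""
    if acct.locked:
        return CONSTRAINT_VIOLATION
    if not _matches(acct, attempt):
        acct.failures += 1
        return INVALID_CREDENTIALS
    acct.failures = 0
    return SUCCESS


def lockout_is_opaque(bind) -> bool:
    """Regression check: locked + right and locked + wrong must look identical."""
    right = bind(Account("s3cret", failures=MAX_FAILURES), "s3cret")
    wrong = bind(Account("s3cret", failures=MAX_FAILURES), "guess")
    return right == wrong and right != SUCCESS
```

`lockout_is_opaque(bind_fixed)` holds while `lockout_is_opaque(bind_leaky)` does not, which is the property a lockout policy needs in order to stop guessing once the threshold is reached.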
Update packages.
N/A
SRPMS
- 389-ds-base-1.3.6.1-19.el7.src.rpm
MD5: 085ef0eb7eb720b380c218b68a5ef89f
SHA-256: 56fa928329c45797e1b0743139947ebe6e630ad70e01b73ff08baf6239ea85da
Size: 3.57 MB
Asianux Server 7 for x86_64
- 389-ds-base-1.3.6.1-19.el7.x86_64.rpm
MD5: 2b6f5109a43a2b05f7b06677532ed5f3
SHA-256: 789c105d2668ecadd232f7b33b41c9a7818dfb85d48f05a340ee2508c4a0972d
Size: 1.70 MB
- 389-ds-base-libs-1.3.6.1-19.el7.x86_64.rpm
MD5: c846455f4ba3bf31506d10fd6b4ef054
SHA-256: a32e8eae873cd5e5a766fbeddd44b8ca14001ac0d5f2fe95669d02d813fc5146
Size: 677.44 kB